Privacy Report - Introduction

Introduction from the Assistant Secretary,

National Telecommunications and Information Administration

The Global Information Infrastructure has tremendous potential to bring economic, social and cultural benefits to America and its citizens. Because it will facilitate and expand the flow of information between people and from place to place, the GII promises enhanced educational and employment opportunities, greater citizen participation, and improved delivery of government services. Information technologies promise to revolutionize the manner in which commerce is transacted domestically and across international borders. The GII has provided faster, cheaper, and more reliable communication of business data, so that great distances and multiple time zones are no longer barriers to transacting business.

But while information technologies can bring these benefits to Americans, they also present new challenges to individual privacy. Not only does the GII make the collection, storage, and transmission of large amounts of personal data possible, use of the GII creates information trails that, without proper safeguards, could reveal the personal details of people's lives. Failure to recognize and protect the privacy interests could slow the growth of the GII. If we are to realize the full potential of the information infrastructure, the legitimate privacy interests of users of the GII must be acknowledged and protected.

This report explores the extent to which self-regulation can be an effective means of reducing these concerns, as well as the benefits, challenges and limitations of self-regulatory privacy regimes.

The National Telecommunications and Information Administration has worked to ensure that all of the benefits of rapid, efficient information exchange are achieved without sacrificing privacy. NTIA has been actively involved in the search for solutions to the challenges posed by information technologies to individual privacy since the early 1980s, when it worked closely with industry to develop the Organization for Economic Cooperation and Development (OECD) privacy guidelines. Its 1995 White Paper, Privacy and the NII, established a framework for safeguarding transaction information -- personal information associated with subscribing to and using a telecommunications or information service. Under the approach, companies would notify their customers about how their personal information would be used and obtain their consent, tacit or otherwise, before using it. This approach would give consumers more control over information maintained about them and allows them to make informed choices about the ways in which data about them is used. And, it would do so without imposing inflexible regulation on the GII in this early stage of its technological and policy development.

Since issuing the White Paper, NTIA has worked with the private sector to monitor the voluntary implementation of data protection practices. We have realized that many questions remain about how self-regulation works and how it can be implemented. Most basically, we need to define what we mean, as the term "self-regulation" itself has a range of definitions. At one end of the spectrum, the term is used quite narrowly, to refer only to those instances where the government has formally delegated the power to regulate, as in the delegation of securities industry oversight to the stock exchanges. At the other end of the spectrum, the term is used when the private sector perceives the need to regulate itself for whatever reason -- to respond to consumer demand, to carry out its ethical beliefs, to enhance industry reputation, or to level the market playing field -- and does so.

NTIA uses the term in its broadest sense to encompass all these meanings. At a minimum, however, effective self-regulation must involve substantive rules as well as means to ensure that consumers know the rules, that companies actually do what they promise to do, and that consumers can have their complaints heard and resolved fairly.

In issuing this call for papers on self regulation and privacy, NTIA asked experts to explore the issues that arise in implementing self regulatory privacy protections. How do self regulatory regimes work in market economies? What elements if any are prerequisites to self regulation in an industry? What are the existing models for self regulatory regimes? Is self regulation inimical to the antitrust laws? What kinds of enforcement mechanisms are appropriate? How have businesses gone about self regulating, and where have they encountered benefits and challenges?

The first chapter of this volume explores what we mean when we talk about self regulation of privacy in a market economy. It explores the market for personal information and ways in which self regulation functions in such a market. Certain articles also consider instances in which self regulation may not be an appropriate means for protecting privacy, such as personal information about children.

Chapter 2 examines the antitrust issues that may arise when rival companies engage in self-regulation. The papers present opposing views. The first concludes that in the rapidly changing economic and technical environment of modern telecommunications and information systems, self regulation may inhibit naturally occurring market forces. The second author finds that industry self regulation of personal information use, while not exempt from antitrust laws, is unlikely to run afoul of those laws, so long as the rules imposed are designed to protect privacy and not to limit competition.

The papers in Chapter 3 propose models for self regulation. In this context, two of the papers explore issues raised by self regulatory approaches to protecting privacy by examining the experience of a specific company and a specific industry. Others consider the efforts of national bodies in implementing self regulatory regimes through standard setting and government-initiated legislation. The articles in chapter 4 attempt to define more specifically the preconditions and necessary elements of a self-regulatory regime for protecting privacy, highlighting the role of consumer education.

Chapter 5 highlights some of the technological and policy mechanisms available to make self regulation work, as well as the opportunities the Internet may offer to give individuals the ability to make decisions about the use and disclosure of personal information. One area of particular focus includes the tension between the desire of users of the Internet to be anonymous in online transactions and instances in which user accountability is required.

One paper considers a labeling system for privacy protection and the manner in which it facilitates consumer choice and control over information. Even when these mechanisms are in place and working well, however, disputes will inevitably arise. This chapter therefore also explores the potential of online arbitration to address privacy disputes. Arbitration is adaptable to any privacy policy and legal regimes, and the suggestion is therefore made that it may be best suited to resolving online disputes.

In the final chapter, corporations and trade associations describe their experiences in crafting and implementing internal policies to protect consumer information.

This volume presents a broad array of models -- and specific tools and mechanisms -- to further debate and help identify which approaches will make self regulation work. The contributions to this publication indicate that the private sector is implementing self regulation on a company-by-company basis. At the same time, economists, lawyers and privacy experts are exploring carefully the issues surrounding self regulation. The constant development of new information technologies may well enhance the feasibility of self regulation by placing choices about information privacy increasingly in the hands of consumers themselves. The experiences, models, technologies, and concerns discussed in this volume point to an ongoing and lively experiment in self-regulation.

As this experiment continues, it is important that thoughtful consideration be given to the potential for effective self regulation. NTIA has focused attention on self-regulation in part to afford it the benefit of closer analysis, and in part to further debate on whether it is a viable option for protecting privacy in the Information Age. This volume seeks to contribute to that process, by providing tools and by encouraging meaningful debate.